This CLIENT SERVICES AGREEMENT ("Agreement") is entered into as of the date indicated above (the “Effective Date”) by and between ISB Global Services Inc.,
LLC (“Service Provider”), and the above- named Client, and consists of this signature page and the attached Terms and Conditions, Applicable Service
Addendums, and as required per the services requested, applicable Local Country Agreements, Scopes of Work, Service Level Agreements, Addendums,
Exhibits and all other documents attached hereto, which are incorporated in full by this reference.
1. TERM. Except as set forth herein, this Agreement will become effective on the Effective Date and will
continue in full force and effect until it is terminated by either party pursuant to the terms contained herein, or until the expiration or termination
of all Service Addendums. The term of each Service Addendum and Local Country Agreement, if any, will commence on the date indicated therein and will
terminate in accordance with its terms (with respect to each Service Addendum and Local Country Agreement, and as the same may be extended pursuant to
the sentence immediately following, the “Termination Date”). Each Service Addendum and Local Country Agreement shall automatically renew in accordance
with its terms, if any. If a Service Addendum or Local Country Agreement does not specify the terms upon which automatic renewal shall occur, then such
Service Addendum or Local Country Agreement shall automatically renew upon the occurrence of the Termination Date, unless either party upon not less
than sixty (60) days written notice to the other party, indicates its intention not to renew such Service Addendum or Local Country Agreement.
Notwithstanding the termination of a Service Addendum or Local Country Agreement, the terms and conditions of this Agreement will remain in full force
and effect. In the event this Agreement is terminated, then all Service Addendums and Local Country Agreements shall be terminated as well.
2. FEES AND PAYMENT. Unless a Service Addendum or Local Country Agreement otherwise specifies fee and payment
provisions (which shall supersede the following terms only with respect to such Service Addendum or Local Country Agreement) Client shall make payment
to Service Provider in accordance with the following. Service Provider will send Client a monthly invoice for services rendered to Client during the
preceding calendar month. Client shall make payment within fifteen (15) days of the date of invoice. Amounts not paid after thirty (30) days when due
shall accrue interest at a rate of 15% per annum, provided however, that Client’s total liability for interest pursuant to this section shall not
exceed the limits imposed by applicable law. Any interest paid in excess of those limits shall be refunded to Client by applying a credit of the amount
of excess interest paid against any amounts outstanding in such invoice as Service Provider may require. If the amount of excess interest paid exceeds
any amounts outstanding, the portion exceeding those amounts shall be refunded in cash to Client. Fees for services rendered pursuant to this Agreement
are subject to change upon the anniversary date of a Service Addendum, at the time of any renewal, or any time thereafter but not more than once
annually. Service Provider will provide at least sixty (60) days notice of such pricing change. Client further agrees to pay any increases in fees,
and/or surcharges imposed by Service Provider’s vendors and subcontractors invoiced to Service Provider, as they may occur anytime during the term. The
prevailing party in any action to enforce the terms of this Agreement or any Service Addendum shall be entitled to an award of reasonable attorneys’
fees and costs. Client’s obligation to pay invoiced amounts is not subject to any offset, defense or counterclaim.
3. CONFLICTS. In the event of a conflict between the provisions of a Service Addendum and/or Local Country
Agreement and this Agreement, the provisions of this Agreement will control; provided, however, that the provisions of this Agreement will be so
construed to give effect to the applicable provisions of the Service Addendum or Local Country Agreement to the fullest extent possible.
4. DISCLAIMER OF WARRANTIES. EXCEPT AS OTHERWISE EXPRESSLY PROVIDED, SERVICE PROVIDER AND ITS AFFILIATES MAKE
NO AND DISCLAIM ANY AND ALL WARRANTIES AND REPRESENTATIONS WITH RESPECT TO THE SERVICES PROVIDED PURSUANT TO THIS AGREEMENT, WHETHER SUCH WARRANTIES
AND REPRESENTATIONS ARE EXPRESS OR IMPLIED IN FACT OR BY OPERATION OF LAW OR OTHERWISE, CONTAINED IN OR DERIVED FROM THIS AGREEMENT, ANY OTHER
DOCUMENTS REFERENCED IN THIS AGREEMENT, OR ANY OTHER MATERIALS OR COMMUNICATIONS WHETHER ORAL OR WRITTEN, INCLUDING WITHOUT LIMITATION IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND IMPLIED WARRANTIES ARISING FROM THE COURSE OF DEALING OR A COURSE OF PERFORMANCE
WITH RESPECT TO THE ACCURACY, VALIDITY, OR COMPLETENESS OF ANY SERVICE OR REPORT, INCLUDING BUT NOT LIMITED TO CONSUMER REPORTS, IF APPLICABLE (AS THAT
TERM IS DEFINED IN THE FAIR CREDIT REPORTING ACT).
5. INDEMNIFICATION. Client shall indemnify, defend and hold harmless Service Provider and its affiliates from
and against any and all claims, suits, proceedings, damages, costs, expenses (including, without limitation, reasonable attorneys’ fees and court
costs) brought against, or suffered by, any third party arising or resulting from, or otherwise in connection with Client’s: i) use or misuse of the
Consumer Reports and/or Services, as applicable, ii) breach of any of its representations, warranties, or agreements as stated herein or in any
applicable Service Addendum or Local Country Agreement, iii) negligence or willful misconduct iv) a Security Event, v) if applicable, the content of
any online job application hosted by Service Provider and/or vi) if applicable the administration of Client’s hiring criteria. A Security Event shall
be defined as the unauthorized acquisition or access of or to personally identifiable information made available through the provision of the Services,
including but not limited to that which is due to use by an unauthorized person or due to unauthorized use while in the possession or under the control
Service Provider shall indemnify, defend and hold harmless Client and its affiliates from and against any and all claims, suits, proceedings, damages,
costs, expenses (including, without limitation, reasonable attorneys’ fees and court costs) brought against, or suffered by, any third party arising or
resulting from, or otherwise in connection with Servicer Provider’s:
i) breach of any of its representations, warranties, or agreements as stated herein or in any applicable Service Addendum or Local Country Agreement,
and/or ii) negligence or willful misconduct.
6. LIMITATION OF LIABILITY. EXCEPT AS EXPRESSLY PROVIDED HEREIN OR IN AN APPLICABLE SERVICE ADDENDUM OR LOCAL
COUNTRY AGREEMENT, NEITHER PARTY NOR ITS AFFILIATES SHALL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, CONTINGENT, CONSEQUENTIAL, PUNITIVE, EXEMPLARY,
SPECIAL OR SIMILAR DAMAGES, INCLUDING BUT NOT LIMITED TO, LOSS OF PROFITS OR LOSS OF DATA, WHETHER INCURRED AS A RESULT OF NEGLIGENCE OR OTHERWISE,
IRRESPECTIVE OF WHETHER THAT PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF THE INCURRENCE BY THE OTHER PARTY OF ANY SUCH DAMAGES. EXCEPT FOR CLAIMS FOR
DAMAGES ARISING FROM FRAUD, GROSS NEGLIGENCE OR INTENTIONAL MISCONDUCT, SERVICE PROVIDER’S LIABILITY DAMAGES INCURRED IN CONNECTION WITH SERVICES
PROVIDED PURSUANT TO THIS AGREEMENT, INCLUDING AS A RESULT OF ANY NEGLIGENCE ON THE PART OF THE SERVICE PROVIDER OR ITS AFFILIATES, SHALL NOT EXCEED
THE ANNUAL FEES PAID BY CLIENT TO SERVICE PROVIDER. FURTHER, SERVICE PROVIDER WILL HAVE NO LIABILITY FOR ANY CAUSE OF ACTION AGAINST SERVICE PROVIDER
WHICH BECAME KNOWN TO CLIENT, OR SHOULD HAVE BEEN KNOWN BY CLIENT WITH REASONABLE INVESTIGATION, WITHIN TWO (2) YEARS FROM THE EXPIRATION OR
TERMINATION OF THIS AGREEMENT, APPLICABLE SERVICE ADDENDUM OR LOCAL COUNTRY AGREEMENT BUT CLIENT FAILED TO PROVIDE ACTUAL NOTICE TO SERVICE PROVIDER
WITHIN SUCH TWO YEAR PERIOD AFTER THE EXPIRATION OR TERMINATION OF THIS AGREEMENT, THE APPLICABLE SERVICE ADDENDUM OR THE LOCAL COUNTRY AGREEMENT.
7. TAXES. Client understands that the charges and rates specified in a Service Addendum, Local Country
Agreement, Pricing Exhibit, or Scope of Services, do not include any amounts for taxes including without limitation any and all municipal, county,
state or federal sales, excise, personal property, consumption, value-added or other taxes, but excluding any taxes upon the income of Service
Provider. To the extent such taxes are or may become due in connection with the services or any payments made or received under any Service Addendum or
Local Country Agreement, Client agrees to pay such taxes. Client further agrees to reimburse Service Provider for any and all such taxes Service
Provider or one of its Affiliates is required to pay to applicable taxing authorities on Client’s behalf.
8. EARLY TERMINATION. Client may terminate this Agreement, any Service Addendum and/or Local Country Agreement
at its convenience, with or without cause, upon ninety (90) days prior written notice to Service Provider. Any and all fees related to custom
configuration or development service in conjunction with the Professional Services products and services may incur a cancellation fee for these costs,
if these services are cancelled. Client shall also remain liable for all fees directly related to third party fees (if applicable) in the event of a
cancellation. Service Provider may terminate or suspend, upon reasonable notice, this Agreement or Client’s right to receive any or all services under
this Agreement if Client fails to comply with the terms and conditions of this Agreement, any Service Addendum and/or Local Country Agreement,
including Client’s failure to make timely payments in accordance with applicable fee and payment terms. Service Provider may terminate or immediately
suspend this Agreement or Client’s right to receive any or all services under this Agreement if Client fails to comply with any law applicable to the
services provided to Client pursuant to this Agreement, any Service Addendum and/or Local Country Agreement. This Agreement shall automatically
terminate and be of no further force and effect if Client files any voluntary petition under any bankruptcy, reorganization or insolvency law of any
jurisdiction, consents to or applies for appointment of a trustee, receiver, custodian or similar official for itself or all or substantially all of
its assets, makes any assignment for the benefit of creditors or other arrangement or composition under any laws for the benefit of the insolvent,
adopts a resolution for discontinuance of its business or if an order for relief is entered against Client under any bankruptcy, reorganization or
insolvency law or any jurisdiction or any case, proceeding or other action seeking such order remains undismissed for thirty (30) days after its
9. FORCE MAJEURE. If any party fails to perform its obligations (except for payment obligations) because of
acts of God, inability to obtain labor or materials (including necessary data) or reasonable substitutes for labor or materials (including necessary
data), governmental restrictions, governmental regulations, governmental controls, judicial orders, enemy or hostile government action, civil
commotion, telecommunications failure (including, without limitation, Internet failures), fires or other casualty or causes beyond the reasonable
control of the party obligated to perform, then that party’s performance shall be excused provided that such party notifies the other party as soon as
practicable of the existence of such condition and uses its best efforts to resume performance in an expeditious manner.
10. NOTICES. Any notice or other communication required or permitted under this Agreement shall be
sufficiently given if delivered in person or sent by facsimile, by overnight courier of national reputation or by registered or certified mail, postage
prepaid, and addressed to the recipient party as identified on page 1 of this Agreement or such other address or number as shall be furnished in
writing by any such party, and such notice or communication shall, if properly addressed, be deemed to have been given as of the date delivered in
person or sent by facsimile, one day after deposition with an overnight courier or four (4) business days after deposition into the US mail.
(a) The term “Confidential Information” shall mean this Agreement and all data, trade secrets, business information and other information of any kind
whatsoever that one party hereto (“Discloser”) discloses, in writing, orally, visually or in any other medium, to the other party hereto (“Recipient”)
or to which Recipient obtains access and that relates to Discloser. A “writing” shall include an electronic transfer of information by e-mail, over the
Internet or otherwise. Each of the parties, as Recipient, hereby agrees that it shall not disclose Confidential Information of the Discloser to any
party during or after the Term of this Agreement, other than on a “need to know” basis and then only to: (i) Recipient’s employees; (ii) its agents and
consultants, provided that all such persons are subject to a written confidentiality agreement that shall be no less restrictive than the provisions of
this Section; and (iii) as required by law or as otherwise expressly permitted by this Agreement. Recipient shall not use or disclose Confidential
Information of the Discloser for any purpose other than to carry out this Agreement. Recipient shall treat Confidential Information of the Discloser
with no less care than it employs for its own Confidential Information of a similar nature that it does not wish to disclose, publish or disseminate,
but not less than a reasonable level of care. All Confidential Information and any results of processing Confidential Information or derived in any way
there from shall at all times remain the property of the Discloser.
(b) Upon expiration or termination of this Agreement for any reason or at the written request of Discloser during the Term of this Agreement, Recipient
shall promptly return to the Discloser, at such Discloser’s direction, all of Discloser’s Confidential Information in the possession of Recipient,
subject to and in accordance with the terms and provisions of this Agreement, except Recipient may retain a copy as required for regulatory compliance
or accounting purposes. To the extent legally permitted, Recipient shall notify Discloser of any actual or threatened requirement of law to disclose
Confidential Information promptly upon receiving actual knowledge thereof and shall reasonably cooperate with Discloser's reasonable, lawful efforts to
resist, limit or delay disclosure.
(c) The obligations of confidentiality in this Section shall not apply to any information that (i) Recipient rightfully has in its possession when
disclosed to it, free of obligation to Discloser to maintain its confidentiality; (ii) Recipient independently develops without access to Discloser’s
Confidential Information; (iii) is or becomes known to the public other than by breach of this Section by Recipient or (iv) is rightfully received by
Recipient from a third party without the obligation of confidentiality.
12. LOCAL COUNTRY AGREEMENTS. Notwithstanding anything in this Agreement to the contrary, all Services
provided pursuant to this Agreement outside of the United States and used outside of the United States shall, unless the Parties agree otherwise, be
provided on a local basis by a non-US Affiliate of Service Provider to a non-US Affiliate of Client, pursuant to a Local Country Agreement.
Concurrently with the execution of a Local Country Agreement, this Master Services Agreement shall be amended as mutually agreed by the Parties,
including, without limitation by amending the then-current Addendums hereto and by attaching appropriate Addendums designated as being applicable to a
particular Local Country Agreement
13. WAIVER; AMENDMENT. No change, waiver or discharge of this Agreement will be valid unless in writing and
executed by the party against whom such change, waiver or discharge is sought to be enforced. A waiver by either of the parties of any provision or
breach shall not be a waiver of a preceding or subsequent breach of the same or any other provision nor shall it be a waiver of any other provisions or
breach. This Agreement may not be amended orally but may only be amended in writing signed by both parties.
14. GOVERNING LAW. The interpretation and construction of this Agreement and all
matters relating hereto shall be governed by the laws of the State of Georgia applicable to agreements executed and to be performed solely within such
state exclusive of conflicts of laws principles.
15. SEVERABILITY. If any provision of this Agreement is held to be unenforceable, the remaining provisions
shall be unaffected. Each provision of this Agreement which provides for a limitation of liability, disclaimer of warranties, or exclusion of remedies
is severable from and independent of any other provision.
16. RELATIONSHIP OF PARTIES. Service Provider is acting only as an independent contractor. Neither party shall
act nor represent itself, directly or by implication, as an agent of the other. Each party shall be responsible for the direction and control of its
employees, subcontractors, and/or consultants and nothing under this Agreement shall create any relationship between the employees, subcontractors
and/or consultants of Service Provider and Client respectively.
17. NO THIRD PARTY BENEFICIARIES. Except as set forth in this section, this Agreement is for the benefit of
the parties hereto and is not intended to confer any rights or benefits on any third party, including any employee, shareholder or client of either
party hereto, and that no other person or entity shall have or acquire any right by virtue of this Agreement. The foregoing notwithstanding, the
affiliates of Service Provider are hereby expressly made third party beneficiaries of Sections 4 and 5 of this Agreement.
18. SURVIVAL. The provisions of Sections 3, 4, 5, 6, 10, 11, 13, 14, 16, 17, 18, 20, 25 and 28 of this
Agreement shall survive any termination or expiration of this Agreement.
19. ASSIGNMENT. Neither party may assign or transfer this Agreement or any rights or
obligations under this Agreement without the prior written consent of the non-assigning party, which shall not be unreasonably withheld.
20. PRESERVATION OF RIGHTS. The exercise of any rights of enforcement or other remedies stated herein shall
not preclude, or be deemed a waiver of, any other enforcement rights or remedies available to either Client or Service Provider under law or otherwise,
and each of Client or Service Provider expressly reserves its rights in respect of such additional rights and remedies.
21. ADDITIONAL DOCUMENTS. The parties hereto agree to execute
any additional documents reasonably required to effectuate the terms, provisions and purposes of this Agreement.
22. COUNTERPARTS. This Agreement may be executed in one or more counterparts, each of which shall be deemed to
be an original, and all such counterparts together shall constitute one and the same instrument and may be sufficiently evidenced by one counterpart.
Execution of this Agreement at different times and places by the parties hereto shall not affect the validity hereof.
23. CAPTIONS. The captions in this Agreement are solely for convenience of reference and shall not be given
any effect in the construction or interpretation of this Agreement.
24. REPRESENTATION OF AUTHORITY. Each party hereby represents and warrants that this Agreement has been duly
executed and delivered by an authorized signatory of such party and that this Agreement constitutes a legal, valid and binding obligation of each
party, enforceable against both parties in accordance with its terms, except as such enforceability may be limited by bankruptcy, insolvency or similar
laws and equitable principles relating to or affecting the right of credi tors generally from time to time in effect.
25. ENTIRE AGREEMENT. This Agreement, related Service Addendum(s), Local Country Agreement(s) and the exhibits
attached, hereto and thereto constitute the final, entire, and exclusive agreement between the parties with respect to the subject matter contained
herein and therein. There are no representations, warranties, understandings or agreements among the parties with respect to the subject matter
contained herein and therein, which are not fully expressed in the Agreement, Service Addendums, Local Country Agreements and/or the exhibits attached
hereto and thereto. This Agreement, the Service Addendums, the Local Country Agreements and the exhibits attached hereto and thereto supersede all
prior agreements and understandings between the parties with respect to such subject matter.
26. AFFILIATES. Each party shall ensure that each of its affiliates accepts and
complies with all of the terms and conditions of this Agreement as if each such affiliate were a party to this Agreement.
27. FACSIMILE SIGNATURE. The parties agree that this Agreement and all agreements and other documents to be
entered into in connection with this Agreement will be considered executed when the signature of a party is delivered by facsimile transmission. Such
facsimile signature shall be treated in all respects as having the same effect as an original signature.
28. PRESS RELEASES. Client may participate in press release and case studies regarding the business
relationship with Service Provider and use of Service Provider's services. Prior written notice of use shall be provided to Client by Service Provider
and Client's written approval is necessary for any press releases or case studies. Approval and consent by Client shall not be unreasonably withheld.
Press releases and case studies may include but will not be limited to Client's name and logo, brand, trademark or other reference to Client. Client
grants to Service Provider the right to use the Client's trademarks, for the term contained herein, in connection with press releases, case studies or
website marketing, advertisement, promotion, sale, and distribution of Service Provider's service.
BACKGROUND SCREENING SERVICE ADDENDUM
This Services Addendum (“Addendum”) is entered into as of “TODAY’S DATE” (the “Effective Date”) pursuant to the terms and conditions of the Master Services Agreement (“MSA”) entered into by the parties by and between ISB Global, with its principal place of business at 5881 Glenridge Drive, Suite 140, Atlanta, Georgia 30328 “Service Provider”) and (“Client”).
1. Description of Services. Client may order consumer reports (“Reports”) from Service Provider for “employment purposes” as that term is defined under the Fair Credit Reporting Act 15 USC 1681 et. seq. (“FCRA”) including but not limited to: evaluating the subject of the report (“Consumer”) for employment, promotion, reassignment, or retention as an employee, volunteer, or as an independent contractor (“Employment Purposes”). Client certifies that Client will order and use Reports for Employment Purposes only and for no other purpose. Reports contain the information and services listed in Services Addendum. Service Provider may modify Scope of Services at any time effective upon notice to Client.
2. Legal Compliance.
a. Client acknowledges that it will comply with applicable laws, rules and regulations when using Reports provided pursuant to this Addendum. Applicable laws shall include but not be limited to: the Fair Credit Reporting Act, the Americans With Disabilities Act, the Drivers Privacy Protection Act, the Gramm-Leach-Bliley Act and federal and state employment laws and other applicable laws including but not limited some state laws which limit the use of credit information in connection with employment decisions. Applicable laws shall also include all applicable national, provincial or local laws of foreign jurisdictions.
b. Client agrees that each time it orders a Report, the order constitutes Client’s reaffirmation of its certifications in “Employer Certification” (attached hereto as Exhibit A) and the “Access Security Requirements” (attached hereto as Exhibit B) with respect to such Report. Further, Client acknowledges that, upon unauthorized acquisition or access of or to personally identifiable information made available through the provision of the services, including but not limited to that which is due to use by an unauthorized person or due to unauthorized use while in the possession or under the control of Client (a "Security Event"), Client shall, in compliance with law, notify the individuals whose information was potentially accessed or acquired that a Security Event has occurred, and shall also notify any other parties (including but not limited to regulatory entities and credit reporting agencies) as may be required in Service Provider’s reasonable discretion. Client agrees that such notification shall not reference Service Provider or the product through which the data was provided, nor shall Service Provider be otherwise identified or referenced in connection with the Security Event, without Service Provider’s express written consent.
c. Client shall provide samples of all proposed materials to notify Consumers and any third- parties, including regulatory entities, to Service Provider for review and approval prior to distribution. Client shall be solely responsible for any other legal or regulatory obligations which may arise under applicable law in connection with such a Security Event and shall bear all costs associated with complying with legal and regulatory obligations in connection therewith. Client shall remain solely liable for claims that may arise from a Security Event,including, but not limited to, costs for litigation (including attorneys’ fees), and reimbursement sought by individuals, including but not limited to, costs for credit monitoring or allegations of loss in connection with the Security Event, and to the extent that any claims are brought against Service Provider, shall indemnify Service Provider from such claims
d. Client acknowledges it has received a copy of the Consumer Financial Protection Bureau (“CFPB”) “Summary of Consumer Rights” (attached hereto as Exhibit D), Notice to Users of Consumer Reports (attached hereto as Exhibit E), and “Using Consumer Reports: What Employers need to Know” http://www.ftc.gov/bcp/edu/pubs/business/credit/bu s08.shtm
e. In the event that Client orders a Reputational Media Search from Service Provider, the Client acknowledges and agrees that the results of such search do not constitute a “consumer report” as that term is defined in the Fair Credit Reporting Act (the “FCRA”). Accordingly, the results of such search may not be used in whole or in part as a factor in determining eligibility for employment or continued employment or another purpose in connection with which a consumer report may be used under the FCRA.
f. If Consumer Reports include Motor Vehicle Reports (“MVRs”), Client shall be responsible for understanding and for staying current with all specific state forms, certificates of use or other documents or agreements including any changes, supplements or amendments thereto imposed by the states (collectively referred to as “Specific State Forms”) from which it will order MVRs and agrees to the following:
(i) Comply with the DPPA and similar state statutes, including using MVRs only for purposes permitted by the DPPA and obtain the written authorization of the Consumer before ordering such MVR.
(ii) Client shall not retain or store any Service
Provider provided MVR, or portions of information contained therein, in any database or combine such information with data in any other database, provided that, Client may keep a copy of a Consumer’s MVR in the Consumer’s personnel/volunteer file.
(iii) As requested by Service Provider, Client shall complete any Specific State Forms that
Service Provider is legally or contractually bound to obtain from Client before serving Client with state MVRs and certifies that it has or will file such Specific State Forms required
by individual states.
(iv) With regard to Service Provider provided MVRs originating from the states of Pennsylvania, Washington, and West Virginia,
Client shall not disseminate or publish personal information contained in such MVRs via the Internet.
(v) Client shall not publish Virginia MVRs or any
information derived from Virginia MVRs via e- mail. However, Client may disseminate Virginia MVRs via the Internet through use of a secure Internet connection.
(vi) Prior to requesting any MVR from the State of Washington, Client agrees (i) to obtain from the Consumer a written statement authorizing the release of the MVR and (ii) execute an attestation that the information in the MVR is necessary to determine whether the individual should be employed to operate a school bus, commercial vehicle or for employment purposes related to driving by an individual as a condition of that individual’s employment upon public highways, or otherwise at the direction of the employer. A commercial vehicle is defined as any vehicle the principal use of which is the transportation of commodities, merchandise, produce, freight, animals, or passengers for hire as defined in RCW 46.04.140. Service Provider will provide a copy of the required release and attestation to the Client. Client agrees to retain each release and attestation for a period of not less than two (2) years. Any MVR received from the State of Washington must be deleted within one (1) year, of receipt unless longer retention is required by Federal law.
(vii) If Client orders an MVR from the Commonwealth of Virginia, Client must retain the Consumer’s authorization for at least three (3) years after the date the MVR was requested. Any Virginia motor vehicle data
shall be considered Confidential Information as defined by Virginia statutes. Any unauthorized disclosure and misuse of Virginia motor vehicle data or any information derived there from shall be subject to the penalties set forth in VA Code §§ 46.2-208 through 46.2-216.2 and § 46.2-380 and the DPPA. Client agrees to make available to Virginia Interactive, Virginia Department of Motor Vehicles (collectively, the “Virginia DMV”), or the authorized representative of either of them, at any reasonable time, documentation of each and every inquiry and Virginia motor vehicle data access made. Client shall indemnify and hold the Virginia DMV harmless for any unauthorized disclosure and/or misuse of Virginia motor vehicle data by Client.
(viii) With regard to MVR data originating from the state of West Virginia, Client shall indemnify the state of West Virginia from any wrongful use of the MVR data.
(ix) When ordering an MVR on an individual under the age of eighteen (18) from the State of Hawaii, Client must order the MVR manually from the State. Client must mail an original executed Juvenile Information Release Form, and a check to: Traffic Violations Bureau, Attn: Abstract Department, 1111 Alakea Street, Honolulu, HI 96813.
(x) If Client orders MVRs from the State of Indiana, Client shall not retain such MVRs except as integrated into the intended use, and Client must permanently destroy all such MVRs once they have been put to their intended use, except as otherwise required to be maintained for auditing purposes. As required by Ind. Code § 24-4.9-3-3.5 (c), Client shall not dispose of records or documents containing unencrypted and/or un-redacted personal information of Indiana residents without shredding, incinerating, mutilating,
erasing, or otherwise rendering the personal information illegible or unusable. Client shall not disseminate Indiana MVRs except within the Client’s organization and only by a secure means. Client agrees to indemnify In.gov and the State of Indiana from all losses damages, judgments, liabilities, costs and expenses (including, but not limited to cost of notice), that arise out of the Client’s misuse, misappropriation, or any other act or omission with respect to laws restricting access to and/or disclosure of Indiana MVRs. Client must maintain, and make available for inspection by the State of Indiana or its designees, upon request, for at least 5 years, records concerning 1) each person or entity that received the information contained in Indiana MVRs, and 2) the permitted use for which such information was obtained and revealed.
If Client orders MVRs from the State of New Mexico, Client shall report to Service Provider the following occurrences promptly upon the discovery of: (a) any known misuse of and/or breach of security or confidentiality involving a New Mexico MVR furnished to Client; (b) any litigation or notice of claim involving the content or handling of a New Mexico MVR furnished to Client (such an occurrence shall be reported by Client to Service Provider within three (3) business days of service of process); or (c) any non-monetary breach of the Agreement by Client (such an occurrence shall be reported by Client to Service Provider within five (5) business days of discovering such breach). End Users shall be capable of generating, within seven (7) days of a request by Service Provider or the New Mexico MVD, a history of its disclosures over time of any New Mexico MVRs obtained under this Agreement. The use of New Mexico MVRs is restricted to use, one time, for a legitimate purpose. Client must destroy all such records remaining in its possession when they are no longer needed for Client’s purposes after its use or as required by State or Federal law. Client agrees to destroy the New Mexico MVRs (except insofar as the information is incorporated into the permitted use) after their use. Client agrees to indemnify, hold harmless, and release NM Interactive and the State of New Mexico and their employees, agents and contractors from and against any and all loss, damages of any kind, liability, court awards, suits and proceedings, including costs, expenses and attorneys’ fees, arising from the performance, disclosure, or use of any data contained in any New Mexico MVRs by Client, its officers, agents, volunteers or employees, except insofar (with respect to indemnity, hold harmless and release of the State of New Mexico) as they may result from the actions or inactions of the State of New Mexico, its agencies, employees, contractors or subcontractors; and except insofar (with respect to indemnity, hold harmless and release of NM Interactive) as they may result from the actions or inactions of NM Interactive, its parent corporation, its subsidiaries, officers, agents, contractors, subcontractors, or employees.
(xi) If Client orders a MVR from the state of Nebraska or Utah on a Consumer for a volunteer position, Client shall have the written authorization of the Consumer notarized.
For uses of DPPA Data, Client shall maintain for a period of five (5) years a complete and accurate (including Consumer identity, purpose and, if applicable, Consumer authorization, pertaining to every access to such data. DPPA Data shall be defined as “personal information,” as defined in the Drivers Privacy Protection Act, (18 U.S.C. § 2721 et seq.) and related state laws (the “DPPA”), and that is regulated by the DPPA (“DPPA Data”).
g. Client certifies that it shall hold the Report in strict confidence and not disclose the Report to any party not involved in the current employment decision. Furthermore, Client shall not use the data from the Report to create, compile, or maintain a database other than for internal business purposes only.
h. Client shall comply with all relevant privacy and antidiscrimination laws in using any information provided by Service Provider. Any adjudication matrix or instructions relating to Client’s use of the Candidate Data Capture system that Client has provided to Service Provider for use in adjudicating background reports or implementing the services provided by such system have been reviewed by Client’s legal counsel and comply with federal, state, and local privacy and anti-discrimination laws, including but not limited to Title VII of the Civil Rights Act of 1964, 42 U.S.C. §§ 2000e et seq.; New York State General Business Law §§ 380 et seq.; New York Executive Law §§ 296(1), (15) and (16); New York Correction Law §§ 752-53; and New York City Administrative Code § 8-107(10). Client acknowledges that Service Provider has provided the “Notice to Clients Operating Within the State of New York”, attached hereto as Exhibit C. Client is advised to review such Exhibit prior to its execution of this Agreement.
i. Client shall comply with the Vermont Fair Credit Reporting Act, 9 V.S.A. § 2480e, by securing the written consent of the Consumer prior to ordering a Consumer Report on a Vermont resident.
j. In the event that User is intending to include in its adverse action letter the notice required by Section 380g of the New York General Business Law, User acknowledges and agrees that the Services only fulfill the requirements of New York law to the extent that the inclusion of a criminal record in a Consumer Report would result in an adverse action against the Consumer. User acknowledges and agrees that it shall retain responsibility for the delivery of any and all notices required by New York law under any other circumstances.
a. Client agrees it is the end-user of all Reports, and will not resell, sub-license, deliver, display, or otherwise distribute any Report, or provide any information in any Report, to any third party, except to the Consumer or as otherwise required under law.
b. Client shall not use the data from a Report supplied by Service Provider to directly or indirectly compile, store, or maintain the data to develop its own source or database of Consumer Reports. Client agrees not to market the Consumer Reports through the Internet. Client represents and warrants that Client’s use of the Reports shall be for only legitimate business purposes relating to its business and as otherwise governed by this Agreement and for employment purposes only.
c. Service Provider may impose additional requirements in order to comply with changes in laws, regulations or as required under the circumstances. Client agrees to comply with all such additional requirements after Client has received notice of the same and any additional fees or costs for such compliance shall be passed through to Client. Service Provider may at any time mask or cease to provide Client access to any services or portions thereof which Service Provider may deem, in Service Provider’s sole discretion, to be sensitive or restricted information due to legal, regulatory or other required obligations.
d. Client shall not remove or obscure the copyright notice or other notices contained on materials assessed through the services.
e. Client shall train employees prior to allowing access to services on Client’s obligations under this Agreement, including but not limited to, the requirements and restrictions under this Section 3 and the security requirements of Exhibit B. Client shall conduct a similar review of its obligations under this Agreement with existing employees who have access to services no less than annually. Client shall keep records of such training.
4. Fees. Client shall pay Service Provider for all services as outlined in Services Addendum.
5. Intellectual Property. Client agrees that Client shall not reproduce, retransmit, republish, or otherwise transfer for any commercial purposes the information delivered as part of the services, programs or computer applications. Client acknowledges that Service Provider (and/or their third-party data providers) shall retain all right, title, and interest under applicable contractual, copyright, patent, trademark, trade secret and related laws in and to the services and the data and information that they provide.
6. Exhibits/Addendums. The following exhibits and addendums are attached hereto and incorporated by reference herein.
Exhibit A – Employer Certification
Exhibit B – Access Security Requirements
Exhibit C – Statutory Summary: A Notice to Clients Operating Within the State of New York
Exhibit D – Summary of Consumer Rights
Exhibit E – Notice to Users of Consumer Report
As a condition to ordering and obtaining consumer reports from ISB Global Services Inc. (“Service Provider”), “Client” (defined as the employer/company identified below), agree as follows:
1. Client certifies that the nature of its business is:
2. Client orders Consumer Reports from Service Provider for the following purposes under the FCRA and as such reports will not be used for any other purpose:
Please check all that apply:
Employment (which includes hiring, promotion, assignment, and retention decisions):
3. Client certifies to Service Provider that with respect to each consumer report (“report”) ordered from Service Provider:
a. It will use such report solely for employment purposes and for no other purpose. Employment purposes include the evaluation of the subject of the report for employment, promotion, reassignment, or retention as an employee, volunteer
or independent contractor. The subject of the report (“Applicant”) includes any consumer who is an applicant, potential
employee or employee.
b. Prior to ordering the report, or causing the report to be ordered:
i. Client has made a clear and conspicuous written disclosure to the Applicant, in a document consisting solely of the disclosure, that a report may be obtained for employment purposes; and
ii. Client has obtained the Applicant’s written authorization to obtain the report; such authorization may be in the same document as the disclosure.
c. Prior to taking any adverse action based in whole or in part on the report, Client will provide the following to the Applicant:
i. A copy of the report; and
ii. A written description of the rights of the Applicant under the Fair Credit Reporting Act (“FCRA”) as prescribed by the Consumer Financial Protection Bureau (“FCRA Summary of Rights”). Service Provider has provided Client a copy of the FCRA Summary of Rights, and it can be obtained from Service Provider’s website or the CFPB’s website (http://www.consumerfinance.gov/).
d. Before Client takes any adverse action against the Applicant based in whole or in part on the report, Client shall give the Applicant a reasonable amount of time after the copy of the report and FCRA Summary of Rights have been received to dispute the accuracy and completeness of the information in the report.
e. If Client takes any adverse action with respect to the Applicant based in whole or in part on any information in the report, it will provide the Applicant with all of the following:
i. Notice of the adverse action;
ii. Service Provider’s name, address, and toll-free telephone number;
iii. A statement that Service Provider did not make the decision to take the adverse action and is unable to provide the Applicant the specific reasons why the adverse action was taken;
iv. Notice of the Applicant’s right to obtain a free copy of the report from Service Provider if, within 60 days after receipt of the notice, he or she requests a copy from Service Provider; and
v. Notice of the Applicant’s right under the FCRA to dispute with Service Provider the accuracy or completeness of any information in the report.
f. Client will not use any information in the report in violation of any applicable Federal or State equal employment opportunity law or regulation.
4. In some cases, Client may order a report from Service Provider for employment purposes that would also constitute an “investigative consumer report.” (In general, an investigative consumer report is one in which information has been obtained through personal interviews with friends, neighbors, or associates of the Applicant or others with whom the Applicant is acquainted or who may have knowledge concerning any such items of information, and the information is more than just a verification of facts.) In the event that Client orders from Service Provider any investigative consumer report, then in addition to the other certifications herein, Client certifies as follows with respect to each investigative consumer report ordered:
a. Not later than 3 days after the date of requesting such report from Service Provider, Client will mail or otherwise deliver a written disclosure to the Applicant containing the following information:
i. A statement that clearly and accurately discloses that an investigative consumer report on the Applicant may be made and such report may contain information as to his or her character, general reputation, personal characteristics and mode of living (as applicable); and
ii. A statement informing the Applicant of his or her right to request in writing additional disclosures about the nature and scope of the investigation and a written summary of rights (FCRA Summary of Rights).
b. Upon written request by the Applicant within a reasonable period of time following the Applicant’s receipt of the disclosure referred to in subsection a. above, Client shall make a complete and accurate written disclosure of the nature and scope
of the investigation requested. Client will mail or otherwise deliver the nature and scope disclosure to the Applicant not later than 5 days after the date on which the request for such disclosure was received from the Applicant or such investigative consumer report was first requested, whichever is later.
5. If Client operates in California or orders a report on a California resident, in addition to the other certifications herein Client hereby certifies for each California report ordered from Service Provider that:
a. Client will identify Service Provider including the name, address, and telephone number to the Applicant when it provides
b. It will provide a disclosure with a box that can be checked by the Applicant to indicate that he/she wants to obtain a free copy of the Report and Client will send such a copy within three (3) business days of Client’s receipt of the Report if the
box is checked; and
c. Client will provide the Applicant a summary of his or her rights under California Civil Code Section 1786.22.
d. Client is not a retail seller, as defined in Section 1802.3 of the California Civil Code and does not issue credit to consumers who appear in person on the basis of applications for credit submitted in person. Furthermore, if Client
becomes a Retail Seller who extends credit in Point of Sale transactions, Client agrees to provide written notice of such to Service Provider prior to using credit reports with Point of Sale transactions as a Retail Seller, and will comply with the
requirements of a Retail Seller conducting Point of Sale transactions, as provided in the California Civil Code.
6. Client is aware that in addition to the FCRA and other federal laws, state laws may be applicable to the ordering and use of consumer and/or investigative consumer reports, including but not limited some state laws which limit the use of credit information in connection with employment, and agree to comply with all applicable federal and state laws and any changes or revisions to such laws.
7. Client certifies to Service Provider that with respect to each driving record information or motor vehicle report ordered from Service Provider, it will comply with each of the above requirements relating to consumer reports, and will also comply with the Driver's Privacy Protection Act of 1994 and any of its amendments in ordering and use of the driving record information or motor vehicle report.
8. Client agrees that all certifications and agreements herein are of a continuing nature and are intended to apply to each consumer and/or investigative consumer report ordered from Service Provider. Client agrees to keep all documentation signed by the Applicant required herein for at least 5 years after the date of the report to which such documentation relates and to provide Service Provider copies upon request.
9. In the event that Client is intending to include in its adverse action letter the notice required by Sect ion 380g of the New York General Business Law, Client acknowledges and agrees that the adverse action letter mailing services, if subscribed to with Service Provider, only fulfill the requirements of New York law to the extent that the inclusion of a criminal record in a Consumer Report would result in an adverse action against the Consumer. Client acknowledges and agrees that it shall retain responsibility for the delivery of any and all notices required by New York law under any other circumstances.
Any person who knowingly and willfully obtains information on a consumer from a consumer reporting agency under false pretenses, shall be fined under title 18, United States Code, imprisoned for not more than 2 years, or both.
GLBA PERMISSIBLE PURPOSE
Some services may use and/or display nonpublic personal information that is governed by the privacy provisions of the Gramm-Leach- Bliley Act (15 U.S.C. § 6801 et seq.) and its implementing regulations. Client certifies it has the written consent of the Consumer, in accordance with 15 U.S.C. 16816, and Client further certifies it will use such information obtained from services only for the purpose(s) to which such Client has consented. Client acknowledges and agrees that it will recertify its permissible uses of GLBA Data upon request by Service Provider. Client certifies with respect to GLBA Data received through the Services that it complies with the Interagency Standards for Safeguarding Customer Information issued pursuant to the GLBA.
DPPA PERMISSIBLE USES
Some services may use and/or display personal information, the use of which is governed by the Drivers Privacy Protection Act (18
U.S.C. § 2721 et seq.) and related state laws (collectively, “DPPA”). Client certifies it has the written consent of the Consumer to which the information pertains and further certifies it will use such information obtained from services only for the purpose(s) to which such Consumer has consented. The text of the DPPA may be found at http://uscode.house.gov/download/pls/18C123.txt. Client acknowledges and agrees that it will recertify, in writing, its permissible uses of DPPA Data upon request by Service Provider.
I, ON BEHALF OF THE CLIENT, HEREBY AGREE TO COMPLY WITH THE EMPLOYER CERTIFICATION NOTED HEREIN. I FURTHER CERTIFY THAT I HAVE DIRECT KNOWLEDGE OF THE FACTS CERTIFIED HEREIN AND AM AUTHORIZED BY THE CLIENT TO AGREE TO THESE ITEMS HEREIN ON ITS BEHALF.
Access Security Requirements
It is a requirement that all clients and end users take precautions to secure any system or device used to access consumer cr edit information. To that end, the following requirements have been established:
1. Implement Strong Access Control Measures
1.1 Client account numbers and passwords must be protected in such a way that this sensitive information is known only to key personnel. Under no circumstances should unauthorized persons have knowledge of passwords. The information
should not be posted in any manner within Client’s facility. Do not provide account numbers, Subscriber Codes or
passwords to anyone.
1.2 Any system access software used, whether developed by Client’s company or purchased from a third party vendor, must have account numbers and passwords “hidden” or embedded so that the password is known only to supervisory personnel.
1.3 Each user of Client’s system access software must then be assigned unique log-on passwords. Develop strong passwords that are:
• Not easily guessable (i.e. user name or company name, repeating numbers and letters or consecutive numbers and letters)
• obtain a minimum of seven (7) alpha/numeric characters for standard user accounts
• Implement password protected screensavers with a maximum fifteen (15) minute timeout to protect unattended workstations.
• Active logins to credit information systems must be configured with a 30 minute inactive session, timeout.
1.4 Client must request that account number, Subscriber Code and/or password be changed immediately when:
• Any system access software is replaced by another system access software or
• is no longer used;
• The hardware on which the software resides is upgraded, changed or disposed of.
1.5 Account numbers and passwords are not to be discussed by telephone to any unknown caller, even if the caller claims to be an employee.
1.6 Create a separate, unique user ID’s for each user to enable individual authentication and accountability for access to the credit reporting agency’s infrastructure. Each user of the system access software must also have a unique logon password.
1.7 Ensure that user IDs are not shared and that no Peer-to-Peer file sharing is enabled on those users’ profiles.
1.8 The ability to obtain credit information must be restricted to a few key personnel.
1.9 Ensure that Client and Client’s employees do not access personal credit reports or those reports of any family member(s) or friend(s) unless it is in connection with a credit transaction or for another permissible purpose.
1.10 Implement a process to terminate access rights immediately for users who access credit reporting agency credit information when those users are terminated or when they have a change in their job tasks and no longer require access to that credit information.
1.11 Any terminal devices used to obtain credit information should be placed in a secure location within Client’s facility. Access to the devices should be difficult for unauthorized persons.
1.12 Any devices/systems used to obtain consumer reports should be turned off and locked after normal business hours, when unattended by key personnel.
1.13 Consumer reports containing personally identifiable information should not be downloaded onto a laptop computer or other mobile device.
1.14 Hard copies and electronic files of consumer reports are to be secured within Client’s facility and protected against release or disclosure to unauthorized persons.
1.15 Hard copy consumer reports are to be shredded or destroyed, rendered unreadable, when no longer needed and when it is permitted to do so by applicable regulations(s).
1.16 Electronic files containing consumer report data and/or information will be completely erased or rendered unreadable when no longer needed and when destruction is permitted by applicable regulation(s).
1.17 Software cannot be copied. Software is issued explicitly to Client solely to access reports for permissible purposes.
1.18 Client employees will be forbidden to attempt to obtain credit reports on themselves, associates or any other persons, except in the exercise of their official duties.
2. Maintain a Vulnerability Management Program
2.1 Keep operating system(s), Firewalls, Routers, servers, personal computers (laptop and desktop) and all other systems current with appropriate system patches and updates.
2.2 Configure infrastructure such as Firewalls, Routers, personal computers, and similar components to industry best security practices, including disabling unnecessary services or features, removing or changing default passwords, IDs and sample files/programs, and enabling the most secure configuration features to avoid unnecessary risks.
2.3 Implement and follow current best security practices for Computer Virus detection scanning services and procedures:
• Use, implement and maintain a current, commercially available Computer Virus detection/scanning product on all computers, systems and networks.
• If Client suspects an actual or potential virus, immediately cease accessing the system and do not resume the inquiry process until the virus has been eliminated.
• On a weekly basis at a minimum, keep anti-virus software up-to-date by vigilantly checking or configuring auto updates and installing new virus definition files.
2.4 Implement and follow current best security practices for computer anti-Spyware scanning services and procedures:
• Use, implement and maintain a current, commercially available computer anti-Spyware scanning product on all computers, systems and networks.
• If Client suspects actual or potential Spyware, immediately cease accessing the system and do not resume the inquiry process until the problem has been resolved and eliminated.
• Run a secondary anti-Spyware scan upon completion of the first scan to ensure all Spyware has been removed from Client’s computers.
• Keep anti-Spyware software up-to-date by vigilantly checking or configuring auto updates and installing new anti- Spyware definition files weekly, at a minimum. If Client’s computers have unfiltered or unblocked access to the Internet (which prevents access to some known problematic sites), then it is recommended that anti-Spyware scans be completed more frequently than weekly.
3. Protect Data
3.1 Develop and follow procedures to ensure that data is protected throughout its entire information lifecycle (from creation, transformation, use, storage and secure destruction) regardless of the media used to store the data (i.e., tape, disk, paper, etc.)
3.2 All credit reporting agency data is classified as confidential and must be secured to this requirement at a minimum.
3.3 Procedures for transmission, disclosure, storage, destruction and any other information modalities or media should address all aspects of the lifecycle of the information.
3.4 Encrypt all credit reporting agency data and information when stored on any laptop computer and in the database using AES or 3DES with 128-bit key encryption at a minimum.
3.5 Only open email attachments and links from trusted sources and after verifying legitimacy.
4. Maintain an Information Security Policy
4.1 Develop and follow a security plan to protect the Confidentiality and integrity of personal consumer information as required under the GLB Safeguard Rule.
4.2 Establish processes and procedures for responding to security violations, unusual or suspicious events and similar incidents to limit damage or unauthorized access to information assets and to permit identification and prosecution of violators.
4.3 The FACTA Disposal Rules requires implementation of appropriate measures to dispose of any sensitive information related to consumer credit reports and records that will protect against unauthorized access or use of that information.
4.4 Implement and maintain ongoing mandatory security training and awareness sessions for all staff to underscore the importance of security within Client’s organization.
5. Build and Maintain a Secure Network
5.1 Protect Internet connections with dedicated, industry-recognized firewalls that are configured and managed using industry best security practices.
5.2 Internal private Internet Protocol (IP) addresses must not be publicly accessible or natively routed to the Internet. Network address translation (NAT) technology should be used.
5.3 Administrative access to Firewalls and servers must be performed through a secure internal wired connection only.
5.4 Any standalone computers that directly access the Internet must have a desktop Firewall deployed that is installed and configured to block unnecessary/unused ports, services, and network traffic.
5.5 Encrypt Wireless access points with a minimum of WEP 128 bit encryption, WPA encryption where available.
5.6 Disable vendor default passwords, SSIDs and IP Addresses on Wireless access points and restrict authentication on the configuration of the access point.
6. Regularly Monitor and Test Networks
6.1 Perform regular tests on information systems (port scanning, virus scanning, vulnerability scanning).
6.2 Use current best practices to protect telecommunications systems and any computer system or network device(s) used to access credit reporting agency systems and networks. These controls should be selected and implemented to reduce the risk of infiltration, hacking, access penetration or exposure to an unauthorized third party by:
• protecting against intrusions;
• securing the computer systems and network devices;
• protecting against intrusions of operating systems or software
I, ON BEHALF OF THE CLIENT, HEREBY AGREE TO COMPLY WITH THE ACCESS SECURITY REQUIREMENTS NOTED HEREIN. I FURTHER CERTIFY THAT I HAVE DIRECT KNOWLEDGE OF THE FACTS CERTIFIED HEREIN AND AM AUTHORIZED BY THE CLIENT TO AGREE TO THESE ITEMS HEREIN ON ITS BEHALF.
This document is intended only as a general summary of certain requirements of these statutes. Our goal is to update this in formation periodically. The information contained in this document is provided for information purposes only and does not constitute legal advice. Service Provider strongly encourages its customers to consult with legal counsel regarding the applicability and effect of all of these laws.
Title VII of the Civil Rights Act of 1964
42 U.S.C. §§ 2000e et seq.
· In interpreting Title VII, the Equal Employment Opportunity Commission takes the position that excluding applicants from consideration for employment on the basis of their arrest or conviction records creates a rebuttable presumption of an unlawful adverse impact on Black and Hispanic applicants.
Federal Fair Credit Reporting Act
15 U.S.C. §§ 1681 et seq.
· Prohibits the reporting of records of arrest older than seven years or until the governing statute of limitations has expired, whichever is longer.
· Prohibits the reporting of certain other adverse items of information older than seven years.
New York State Fair Credit Reporting Act
N.Y. Gen. Bus. Law §§ 380 et seq.
· Prohibits the reporting of records of arrest or criminal charges unless there has been a criminal conviction for such offense, or unless such charges are still pending.
· Prohibits the reporting of records of convictions of crimes which, from the date of disposition, release, or parole, are older than seven years.
· Prohibits the reporting of certain other adverse information older than seven years.
New York Labor Law
N.Y. Labor Law § 201-f
· Requires employers in the state of New York to conspicuously post a copy of article 23-A of the correction law and any regulations promulgated thereunder relating to the licensure and employment of persons previously convicted of one or more criminal offenses.
New York Human Rights Law
N.Y. Exec. Law §§ 296(1), (15) and (16)
· Prohibits an employer from refusing to hire or employ a person, or from barring or discharging a person, or from discriminating against a person in compensation or in terms, conditions or privileges of employment based on the person’s age, race, creed, color, national origin, sexual orientation, military status, sex, disability, predisposing genetic characteristics, marital status, or domestic violence victim status.
· Limits the circumstances in which an individual may be denied employment by reason of his or her having been convicted of a criminal offense to those set forth in N.Y. Correction Law §§ 752-53.
· Prohibits an employer from making an inquiry about or acting adversely with respect to an individual based on a non-pending arrest or criminal accusation of such individual that was followed by a termination of that action or proceeding in favor of such individual (such as most convictions for violations, sealed convictions or dismissed charges).
New York Correction Law
N.Y. Correction Law §§ 752-53
· Prohibits an employer, except under limited circumstances, from denying an application or acting adversely upon an employee based upon the applicant’s or employee’s having been convicted of one or more criminal offenses, or by reason of a finding of lack of “good moral character” when such finding is based upon the fact that the individual has been convicted of a criminal offense.
· Requires employers to consider, among other things, whether there is a direct relationship between the criminal offense and the type of employment sought, whether the individual has been issued a certificate of relief or a certificate of good conduct, and eight specific factors listed in Section 753. Among the eight factors are the duties and responsibilities of the position; the bearing of the offense on the applicant’s ability to perform the responsibilities; the time that has elapsed since the offense; the age of the person at the time of the offense; the seriousness of the offense; information produced by the applicant regarding his or rehabilitation and good conduct; and the legitimate interest of the employer in protecting property and the safety and welfare of individuals or the public. In making a determination, the employer shall give consideration to a certificate of relief from disabilities or a certificate of good conduct, which shall create a presumption of rehabilitation.
New York City Administrative Code § 8-107(10)
N.Y. City Admin. Code § 8-107(10)
· Prohibits employment practices that violate N.Y. Correction Law §§ 752-53.
Para informacion en espanol, visite www.consumerfinance.gov/learnmore o escribe a la Consumer Financial Protection Bureau, 1700 G Street N.W., Washington, DC 20552.
The federal Fair Credit Reporting Act (FCRA) promotes the accuracy, fairness, and privacy of information in the files of consumer reporting agencies. There are many types of consumer reporting agencies, including credit bureaus and specialty agencies (such as agencies that sell information about check writing histories, medical records, and rental history records). Here is a summary of your major rights under the FCRA. For more information, including information about additional rights, go to www.consumerfinance.gov/learnmore or write to: Consumer Financial Protection Bureau, 1700 G Street N.W., Washington, DC 20552.
• You must be told if information in your file has been used against you. Anyone who uses a credit report or another type of consumer report to deny your application for credit, insurance, or employment – or to take another adverse action against you
– must tell you, and must give you the name, address, and phone number of the agency that provided the information.
• You have the right to know what is in your file. You may request and obtain all the information about you in the files of a consumer reporting agency (your “file disclosure”). You will be required to provide proper identification, which may include your Social Security number. In many cases, the disclosure will be free. You are entitled to a free file disclosure if:
• a person has taken adverse action against you because of information in your credit report;
• you are the victim of identity theft and place a fraud alert in your file;
• your file contains inaccurate information as a result of fraud;
• you are on public assistance;
• you are unemployed but expect to apply for employment within 60 days.
In addition, all consumers are entitled to one free disclosure every 12 months upon request from each nationwide credit bureau and from nationwide specialty consumer reporting agencies. See www.consumerfinance.gov/learnmore for additional information.
• You have the right to ask for a credit score. Credit scores are numerical summaries of your credit-worthiness based on information from credit bureaus. You may request a credit score from consumer reporting agencies that create scores or distribute scores used in residential real property loans, but you will have to pay for it. In some mortgage transactions, you will receive credit score information for free from the mortgage lender.
• You have the right to dispute incomplete or inaccurate information. If you identify information in your file that is incomplete or inaccurate, and report it to the consumer
reporting agency, the agency must investigate unless your dispute is frivolous. See www.consumerfinance.gov/learnmore for an
explanation of dispute procedures.
• Consumer reporting agencies must correct or delete inaccurate, incomplete, or unverifiable information. Inaccurate, incomplete or unverifiable information must be removed or corrected, usually within 30 days. However, a consumer reporting agency may continue to report information it has verified as accurate.
• Consumer reporting agencies may not report outdated negative information. In most cases, a consumer reporting agency may not report negative information that is more than seven years old, or bankruptcies that are more than 10 years old.
• Access to your file is limited. A consumer reporting agency may provide information about you only to people with a valid need – usually to consider an application with a creditor, insurer, employer, landlord, or other business. The FCRA specifies those with a valid need for access.
• You must give your consent for reports to be provided to employers. A consumer reporting agency may not give out information about you to your employer, or a potential employer, without your written consent given to the employer. Written consent generally is not required in the trucking industry. For more information, go to www.consumerfinance.gov/learnmore.
• You may limit “prescreened” offers of credit and insurance you get based on information in your credit report. Unsolicited “prescreened” offers for credit and insurance must include a toll-free phone number you can call if you choose to remove your name and address from the lists these offers are based on. You may opt-out with the nationwide credit bureaus at 1-888-567-8688.
• You may seek damages from violators. If a consumer reporting agency, or, in some cases, a user of consumer reports or a furnisher of information to a consumer reporting agency violates the FCRA, you may be able to sue in state or federal court.
• Identity theft victims and active duty military personnel have additional rights. For more information, visit www.consumerfinance.gov/learnmore.
States may enforce the FCRA, and many states have their own consumer reporting laws. In some cases, you may have more rights under state law. For more information, contact your state or local consumer protection agency or your state Attorney General. For information about your federal rights, contact:
TYPE OF BUSINESS
1.a. Banks, savings associations, and credit unions with total assets of over $10 billion and their affiliates.
b. Such affiliates that are not banks, savings associations, or credit unions also should list, in addition to the CFPB:
a. Consumer Financial Protection Bureau
1700 G Street NW
Washington, DC 20552
b. Federal Trade Commission: Consumer Response Center-FCRA
Washington, DC 20580
2. To the extent not included in item 1 above:
a. National banks, federal savings associations, and federal branches and federal agencies of foreign banks
b. State member banks, branches and agencies of foreign banks (other than federal branches, federal agencies, and Insured State Branches of Foreign Banks), commercial lending companies owned or controlled by foreign banks, and organizations operating under section 25 or 25A of the Federal Reserve Act
c. Nonmember Insured Banks, Insured State Branches of Foreign Banks, and insured state savings associations
d. Federal Credit Unions
a. Office of the Comptroller of the Currency
Customer Assistance Group
1301 McKinney Street, Suite 3450
Houston, TX 77010-9050
b. Federal Reserve Consumer Help Center
P.O. Box 1200
Minneapolis, MN 55480
c. FDIC Consumer Response Center
1100 Walnut Street, Box #11
Kansas City, MO 64106
d. National Credit Union Administration
Office of Consumer Protection (OCP)
Division of Consumer Compliance and Outreach (DCCO)
1775 Duke Street
Alexandria, VA 22314
3. Air Carriers
Asst. General Counsel for Aviation Enforcement & Proceedings
1200 New Jersey Avenue, SE
Washington, DC 20590
4. Creditors Subject to Surface Transportation Board Office of Proceedings, Surface Transportation Board
Department of Transportation
395 E Street S.W.
Washington, DC 20423
5. Creditors Subject to Packers and Stockyards Act, 1921
Nearest Packers and Stockyards Administration area supervisor
6. Small Business Investment Companies
Associate Deputy Administrator for Capital Access
United States Small Business Administration
409 Third Street, SW, 8th Floor
Washington, DC 20416
7. Brokers and Dealers
Securities and Exchange Commission
100 F St NE
Washington, DC 20549
8. Federal Land Banks, Federal Land Bank Associations, Federal Intermediate Credit Banks, and Production Credit Associations
Farm Credit Administration
1501 Farm Credit Drive
McLean, VA 22102-5090
9. Retailers, Finance Companies, and All Other Creditors Not Listed Above
FTC Regional Office for region in which the creditor operates
or Federal Trade Commission: Consumer Response Center- FCRA
Washington, DC 20580
All users of consumer reports must comply with all applicable regulations. Information about applicable regulations currently in effect can be found at the Consumer Financial Protection Bureau’s website, www.consumerfinance.gov/learnmore.
NOTICE TO USERS OF CONSUMER REPORTS: OBLIGATIONS OF USERS UNDER THE FCRA
The Fair Credit Reporting Act (FCRA), 15 U.S.C. §1681-1681y, requires that this notice be provided to inform users of consumer reports of their legal obligations. State law may impose additional requirements. The text of the FCRA is set forth in full at the Consumer Financial Protection Bureau’s (CFPB) website at www.consumerfinance.gov/learnmore. At the end of this document is a list of United States Code citations for the FCRA. Other information about user duties is also available at the CFPB’s website. Users must consult the relevant provisions of the FCRA for details about their obligations under the FCRA.
The first section of this summary sets forth the responsibilities imposed by the FCRA on all users of consumer reports. The subsequent sections discuss the duties of users of reports that contain specific types of information, or that are used for certain purposes, and the legal consequences of violations. If you are a furnisher of information to a consumer reporting agency (CRA), you have additional obligations and will receive a separate notice from the CRA describing your duties as a furnisher.
A. Users Must Have a Permissible Purpose
Congress has limited the use of consumer reports to protect consumers’ privacy. All users must have a permissible purpose under the FCRA to obtain a consumer report. Section 604 contains a list of the permissible purposes under the law. These are:
• As ordered by a court or a federal grand jury subpoena. Section 604(a)(1)
• As instructed by the consumer in writing. Section 604(a)(2)
• For the extension of credit as a result of an application from a consumer, or the review or collection of a consumer’s account. Section 604(a)(3)(A)
• For employment purposes, including hiring and promotion decisions, where the consumer has given written permission. Sections 604(a)(3)(B) and 604(b)
• For the underwriting of insurance as a result of an application from a consumer. Section 604(a)(3)(C)
• When there is a legitimate business need, in connection with a business transaction that is initiated by the consumer. Section 604(a)(3)(F)(i)
• To review a consumer’s account to determine whether the consumer continues to meet the terms of the account. Section 604(a)(3)(F)(ii)
• To determine a consumer’s eligibility for a license or other benefit granted by a governmental instrumentality required by law to consider an applicant’s financial responsibility or status. Section 604(a)(3)(D)
• For use by a potential investor or servicer, or current insurer, in a valuation or assessment of the credit or prepayment risks associated with an existing credit obligation. Section 604(a)(3)(E)
• For use by state and local officials in connection with the determination of child support payments, or modifications and enforcement thereof. Sections 604(a)(4) and 604(a)(5)
In addition, creditors and insurers may obtain certain consumer report information for the purpose of making “prescreened” unsolicited offers of credit or insurance. Section 604(c). The particular obligations of users of “prescreened” information are described in Section VII below.
Section 604(f) prohibits any person from obtaining a consumer report from a consumer reporting agency (CRA) unless the person has certified to the CRA the permissible purpose(s) for which the report is being obtained and certifies that the report will not be used for any other purpose.
The term “adverse action” is defined very broadly by Section 603. “Adverse actions” include all business, credit, and employment actions affecting consumers that can be considered to have a negative impact as defined by Section 603(k) of the FCRA – such as denying or canceling credit or insurance, or denying employment or promotion. No adverse action occurs in a credit transaction where the creditor makes a counteroffer that is accepted by the consumer.
If a user takes any type of adverse action as defined by the FCRA that is based at least in part on information contained in a consumer report, Section 615(a) requires the user to notify the consumer. The notification may be done in writing, orally, or by electronic means. It must include the following:
• The name, address, and telephone number of the CRA (including a toll-free telephone number, if it is a nationwide CRA) that provided the report.
• A statement that the CRA did not make the adverse decision and is not able to explain why the decision was made.
• A statement setting forth the consumer’s right to obtain a free disclosure of the consumer’s file from the CRA if the consumer makes a request within 60 days.
• A statement setting forth the consumer’s right to dispute directly with the CRA the accuracy or completeness of any information provided by the CRA.
If a person denies (or increases the charge for) credit for personal, family, or household purposes based either wholly or partly upon information from a person other than a CRA, and the information is the type of consumer information covered by the FCRA, Section 615(b)(1) requires that the user clearly and accurately disclose to the consumer his or her right to be told the nature of the information that was relied upon if the consumer makes a written request within 60 days of notification. The user must provide the disclosure within a reasonable period of time following the consumer’s written request.
If a person takes an adverse action involving insurance, employment, or a credit transaction initiated by the consumer, based on information of the type covered by the FCRA, and this information was obtained from an entity affiliated with the user of the information by common ownership or control, Section 615(b)(2) requires the user to notify the consumer of the adverse action. The notice must inform the consumer that he or she may obtain a disclosure of the nature of the information relied upon by making a written request within 60 days of receiving the adverse action notice. If the consumer makes such a request, the user must disclose the nature of the information not later than 30 days after receiving the request. If consumer report information is shared among affiliates and then used for an adverse action, the user must make an adverse action disclosure as set forth in I.C.1 above.
When a consumer has placed a fraud alert, including one relating to identity theft, or an active duty military alert with a nationwide consumer reporting agency as defined in Section 603(p) and resellers, Section 605A(h) imposes limitations on users of reports obtained from the consumer reporting agency in certain circumstances, including the establishment of a new credit plan and the issuance of additional credit cards. For initial fraud alerts and active duty alerts, the user must have reasonable policies and procedures in place to form a belief that the user knows the identity of the applicant or contact the consumer at a telephone number specified by the consumer; in the case of extended fraud alerts, the user must contact the consumer in accordance with the contact information provided in the consumer’s alert.
Section 605(h) requires nationwide CRAs, as defined in Section 603(p), to notify users that request reports when the address for a consumer provided by the user in requesting the report is substantially different from the addresses in the consumer’s file. When this occurs, users must comply with regulations specifying the procedures to be followed. Federal regulations are available at www.consumerfinance.gov/learnmore.
Section 628 requires that all users of consumer report information have in place procedures to properly dispose of
records containing this information. Federal regulations have been issued that cover disposal.
If a person uses a consumer report in connection with an application for, or a grant, extension, or provision of, credit to a consumer on material terms that are materially less favorable than the most favorable terms available to a substantial proportion of consumers from or through that person, based in whole or in part on a consumer report, the person must provide a risk-based pricing notice to the consumer in accordance with regulations prescribed by the CFPB.
Section 609(g) requires a disclosure by all persons that make or arrange loans secured by residential real property (one to four units) and that use credit scores. These persons must provide credit scores and other information about credit scores to applicants, including the disclosure set forth in Section 609(g)(1)(D) (“Notice to the Home Loan Applicant”).
A. Employment Other Than in the Trucking Industry
If the information from a CRA is used for employment purposes, the user has specific duties, which are set forth in Section 604(b) of the FCRA. The user must:
• Make a clear and conspicuous written disclosure to the consumer before the report is obtained, in a document that consists solely of the disclosure, that a consumer report may be obtained.
• Obtain from the consumer prior written authorization. Authorization to access reports during the term of employment may be obtained at the time of employment.
• Certify to the CRA that the above steps have been followed, that the information being obtained will not be used in violation of any federal or state equal opportunity law or regulation, and that, if any adverse action is to be taken based on the consumer report, a copy of the report and a summary of the consumer’s rights will be provided to the consumer.
· Before taking an adverse action, the user must provide a copy of the report to the consumer as well as the summary of consumer’s rights (The user should receive this summary from the CRA.) A Section 615(a) adverse action notice should be sent after the adverse action is taken.
An adverse action notice also is required in employment situations if credit information (other than transactions and experience data) obtained from an affiliate is used to deny employment. Section 615(b)(2).
The procedures for investigative consumer reports and employee misconduct investigations are set forth below.
Special rules apply for truck drivers where the only interaction between the consumer and the potential employer is by mail, telephone, or computer. In this case, the consumer may provide consent orally or electronically, and an adverse action may be made orally, in writing, or electronically. The consumer may obtain a copy of any report relied upon by the trucking company by contacting the company.
Investigative consumer reports are a special type of consumer report in which information about a consumer’s character, general reputation, personal characteristics, and mode of living is obtained through personal interviews by an entity or person that is a consumer reporting agency. Consumers who are the subjects of such reports are given special rights under the FCRA. If a user intends to obtain an investigative consumer report, Section 606 requires the following:
• The user must disclose to the consumer that an investigative consumer report may be obtained. This must be done in a written disclosure that is mailed, or otherwise delivered, to the consumer at some time before or not later than three days after the date on which the report was first requested. The disclosure must include a statement informing the consumer of his or her right to request additional disclosures of the nature and scope of the investigation as described below, and the summary of consumer rights required by Section 609 of the FCRA. (The summary of consumer rights will be provided by the CRA that conducts the investigation.)
• The user must certify to the CRA that the disclosures set forth above have been made and that the user
will make the disclosure described below.
• Upon the written request of a consumer made within a reasonable period of time after the disclosures required above, the user must make a complete disclosure of the nature and scope of the investigation. This must be made in a written statement that is mailed or otherwise delivered, to the consumer no later than five days after the date on which the request was received from the consumer or the report was first requested, whichever is later in time.
Section 603(x) provides special procedures for investigations of suspected misconduct by an employee or for compliance with Federal, state or local laws and regulations or the rules of a self-regulatory organization, and compliance with written policies of the employer. These investigations are not treated as consumer reports so long as the employer or its agent complies with the procedures set forth in Section 603(x), and a summary describing the nature and scope of the inquiry is made to the employee if an adverse action is taken based on the investigation.
Section 604(g) limits the use of medical information obtained from consumer reporting agencies (other than payment information that appears in a coded form that does not identify the medical provider). If the information is to be used for an insurance transaction, the consumer must give consent to the user of the report or the information must be coded. If the report is to be used for employment purposes – or in connection with a credit transaction (except as provided in federal regulations) – the consumer must provide specific written consent and the medical information must be relevant. Any user who receives medical information shall not disclose the information to any other person (except where necessary to carry out the purpose for which the information was disclosed, or a permitted by statute, regulation, or order).
The FCRA permits creditors and insurers to obtain limited consumer report information for use in connection with unsolicited offers of credit or insurance under certain circumstances. Sections 603(1), 604(c), 604(e), and 615(d). This practice is known as “prescreening” and typically involves obtaining from a CRA a list of consumers who meet certain preestablished criteria. If any person intends to use prescreened lists, that person must (1) before the offer is made, establish the criteria that will be relied upon to make the offer and grant credit or insurance, and (2) maintain such criteria on file for a three-year period beginning on the date on which the offer is made to each consumer. In addition, any user must provide with each written solicitation a clear and conspicuous statement that:
• Information contained in a consumer’s CRA file was used in connection with the transaction.
• The consumer received the offer because he or she satisfied the criteria for credit worthiness or insurability used to screen for the offer.
• Credit or insurance may not be extended if, after the consumer responds, it is determined that the consumer does not meet the criteria used for screening or any applicable criteria bearing on credit worthiness or insurability, or the consumer does not furnish required collateral.
·The consumer may prohibit the use of information in his or her file in connection with future prescreened offers of credit or insurance by contacting the notification system established by the CRA that provided the report. The statement must include the address and toll-free telephone number of the appropriate notification system.
In addition, the CFPB has established the format, type size, and manner of the disclosure required by Section 615(d), with which users must comply. The regulation is 12 CFR 1022.54.
A. Disclosure and Certification Requirements
Section 607(e) requires any person who obtains a consumer report for resale to take the following steps:
• Disclose the identity of the end-user to the source CRA.
• Identify to the source CRA each permissible purpose for which the report will be furnished to the end-user.
• Establish and follow reasonable procedures to ensure that reports are resold only for permissible purposes, including procedures to obtain:
(1) the identity of all end-users;
(2) certifications from all users of each purpose for which reports will be used; and
(3) certifications that reports will not be used for any purpose other than the purpose(s) specified to the reseller. Resellers must make reasonable efforts to verify this information before selling the report.
Under Section 611(f), if a consumer disputes the accuracy or completeness of information in a report prepared by a reseller, the reseller must determine whether this is a result of an action or omission on its part and, if so, correct or delete the information. If not, the reseller must send the dispute to the source CRA for reinvestigation. When any CRA notifies the reseller of the results of an investigation, the reseller must immediately convey the information to the consumer.
Section 605A(f) requires resellers who receive fraud alerts or active duty alerts from another consumer reporting agency to include these in their reports.
Failure to comply with the FCRA can result in state government or federal government enforcement actions, as well as private lawsuits. Sections 616, 617, and 621. In addition, any person who knowingly and willfully obtains a consumer report under false pretenses may face criminal prosecution. Section 619.
Citations for FCRA sections in the U.S. Code, 15 U.S.C. § 1618 et seq.:
15 U.S.C. 1681
15 U.S.C. 1681m
15 U.S.C. 1681a
15 U.S.C. 1681n
15 U.S.C. 1681b
15 U.S.C. 1681o
15 U.S.C. 1681c
15 U.S.C. 1681p
15 U.S.C. 1681cA
15 U.S.C. 1681q
15 U.S.C. 1681cB
15 U.S.C. 1681r
15 U.S.C. 1681d
15 U.S.C. 1681s
15 U.S.C. 1681e
15 U.S.C. 1681s-1
15 U.S.C. 1681f
15 U.S.C. 1681s-2
15 U.S.C. 1681g
15 U.S.C. 1681t
15 U.S.C. 1681h
15 U.S.C. 1681u
15 U.S.C. 1681i
15 U.S.C. 1681v
15 U.S.C. 1681j
15 U.S.C. 1681w
15 U.S.C. 1681k
15 U.S.C. 1681x
15 U.S.C. 1681l
15 U.S.C. 1681y
FIND OUT MORE